We have all heard about privacy breaches like Cambridge Analytica, the Blue Cross/Blue Shield Anthem breach, Facebook missteps, and numerous other incidents. Those breaches have prompted state lawmakers across the country to take action, and the outcomes are shaping up to have significant impacts on businesses.
California is leading the way in this effort with the California Consumer Privacy Act (CCPA), set to take effect in January 2020. Eighteen state legislatures are following in its footsteps in 2019. More are sure to jump on the bandwagon soon.
This will be a hot topic over the next few years, and it is worth paying attention to state and federal legislative efforts.
What is the CCPA?
The new crop of privacy laws is an attempt to fundamentally hand control of a person’s data back to the consumer. In 2018, California passed into law a set of rights that allow a consumer to discover what information a company possesses on them, the business purpose, and with whom the company shares or sells the data. More importantly, it gives the consumer the opportunity to tell the business to stop sharing or selling the data and, lastly, to delete the data.
While some differences exist, the intent is the same in all the other states.
Does CCPA Apply to Me?
If you meet any one of the following criteria and hold data on even one California consumer, it applies to you:
1) Gross annual revenue of $25 million or more, OR
2) Possess the personal information of 50,000 or more consumers, households, or devices, OR
3) Derive 50 percent or more of annual revenue from selling consumers’ personal information.
As the law is currently written, none of the criteria is limited to California; they extend to companies across the United States and cover all California residents in their databases. The state Attorney General will issue rulings by July 1, 2019 that may clarify whether these criteria apply to 50,000 consumers in California or beyond. Watch for additional rulings that will likely change how the law impacts businesses.
How Will It Impact Me?
Second, company privacy policies should be updated with CCPA criteria. The policies must list consumer rights, including data collected, categories of personal information, to whom information is disclosed, and methods for submitting consumer requests.
Third, companies will need clearly defined processes to respond to consumer requests. Consumers can ask that their data no longer be shared, but they can also tell a company to delete the information. CCPA dictates that under either circumstance a company cannot discriminate against the person and must honor the request. Businesses must be prepared to handle these requests within 45 days.
The CCPA was a hastily written law that contains a lot of ambiguity. The California legislature is currently considering several amendments that could strengthen the law in many ways, such as giving consumers the right to private action or removing the 30-day cure period to address deficiencies. As noted above, the Attorney General will issue guidelines as well that may change the impact.
What Can I Do to Prepare?
In any case, it is worth watching the development of this new law and starting to prepare for its core intent. Regardless of the final form of the law in California, several other states are right behind with their own versions. Privacy is about to change. It is in every company’s interest to seek legal guidance on this matter so they are ready.
Check back often for updates. Netchex’s compliance team will be watching and blogging about these changes as well.